Black Hat Day 1: A Cover Up?

LAS VEGAS, July 27: One of the primary reasons companies send their computer security experts to the annual Black Hat security conference here is to learn about new security vulnerabilities that bad guys could use to disrupt Internet communications that most of us rely upon to send e-mail and browse the Web.

The most popular speakers at the gathering typically are security researchers who have discovered new flaws in the hardware and software designed to ensure that the Web page you request is the same one that is served, and that your e-mail gets routed to its destination without incident.

The first "scandal" to emerge from Black Hat 2005 (so far, at least) is the omission of some 30 pages of text from the 1,000-page-plus conference presentation materials, which were handed out to conference attendees when they registered on Tuesday. The missing pages -- literally ripped from the massive handout -- apparently detailed the specifics of a serious security flaw present in Cisco Systems routers, devices that route the majority of Internet traffic on the Web today.

Michael Lynn, a researcher for Atlanta-based Internet Security Systems, was slated to follow the conference's keynote address Wednesday with a discussion of the Cisco hardware flaw. As of this writing, however, none of the conference organizers knew whether Lynn was expected to even show up, much less present his findings.

People close to the situation say the incident highlights the constant tension between security researchers who discover bugs in widely used technology and the companies that make those products. Neither Lynn nor Cisco officials were immediately available for comment. It's only the conference's first day, however, so I'll continue to try to find out more about this flaw.

The only "official" comment on the missing pages on the Cisco flaw was a photographed copy of a notice distributed with each bundle of conference materials. The notice states: "Due to some last minute changes beyond Black Hat's control, and at the request of the presenter, the included materials aren't up to the standards Black Hat tries to meet. Black Hat will be the first to apologize. We hope the vendors involved will follow suit."

I'm fairly impressed that you're covering this event. It's rare to see a mainstream newspaper cover one of these events, and it's even rarer to see them do so in an even-handed way. So thanks for your coverage, and I hope you have an interesting and educational experience.

Note that Mike Lynn was going to present on exploiting IOS to use vulnerabilities in code to run arbitrary code of the attacker's choosing. This is a huge deal, since a problem with IOS that was formerly limited to a DoS could be leveraged to add configuration commands to the IOS configuration, or other nasty things.

Mike's put a great deal of work into exploring the possible exploitation of Cisco routers. He was going to make his incredible work public (without giving out too much information to the general public). It's his right to. This is a field that has already been explored by previous hackers (Phenoelit's Ultima Ratio project) but had only been advanced so far. Mike's outstanding research was going to both prove that it is possible to spawn a remote connection of an IOS-shell to a foreign host via heap overflows without having the router crash/reload IOS software. It is important that information like this be made public. This way other security researchers can study, learn, and guard against such attacks in the future. Also, a great deal of the time if vulnerabilities like this are not made public they are not handled by vendors (as can be seen by the recent articles on Oracle's failure to fix vulns after some 500+ days of notification). The notification of vendors and awaited public disclosure has proven to be one of the most effective ways to increase security as a whole. Just look at how much security has increased in just the past 5 years. Mike is a hero trying to be silenced by corp giants. He deserves the utmost respect for his remarkable work.

I've heard (read: this is hearsay!) that Cisco threatened the conference organizer, Jeff Moss, with some sort of restraining order. Has anyone else heard this / can anyone confirm this? And does anyone else know if DMCA was invoked as the legal method to do so? The entire playing field of vulnerability research is in quite a bit of flux right now, with commercial funding models on one side, irresponsibility on the other (*cough* Oracle *cough* *cough*), and things like DMCA threatening to drive research back underground. What a mess. Thanks for covering this though, as it's more relevant than many realize, I fear.

I passed Mike in the hallway after having lunch with Brian and Mike indicated that he has a meeting this afternoon with the EFF. He expects to lose this battle. Although I for one am in awe of his admirable ethical stance.

Nice work covering this developing story. Cisco/ISS have successfully bitten the hand that feeds them. I feel sorry for the other security researchers that still work at ISS. What a major tactical and strategic blunder by both Cisco and ISS.

Please, someone who got Mr. Lynn's material (I think it is BH_US_05-Lynn.pdf) would be so kind to forward it to "carloszambia@gmail.com" or "acdsp2805@hotmail.com"? I'm a system admin and I'm concerned about the security of my Cisco routers.

Googlie Google = dumba$$. This has nothing to do with U.S. politics. Cisco doesn't want to ruin their reputation and would do anything to keep it - even involving lawyers. Funny, they're using left-wing tactics to shut the public up.

Perhaps Mr. Lynn would have been better served by discussing this security threat with the vendor as opposed to opening it up to a known hacker crowd @ Black Hat. It's incredibly irresponsible in my ever so humble opinion. Since he was aware of the vulnerability, and the publicity that he created, the "fear" that he had by announcing it to the world will only serve to exploit the flaw as opposed to actually protecting those that he claims were at risk.
It's pathetic at best.

Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers to fix this immediately. Shame on them for letting it get this far. I am not sure what the basis of ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under. While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the people's ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS this will be easy to script and worm.